Monday, 22 February 2016

There are two methods for controlling traffic on the ASA: traffic policing and traffic shaping. In this post I will describe each method and provide some real-world examples.

Traffic Policing: This lets you set a throughput limit (in bits per second); anything above that limit is dropped. It also lets you set a maximum burst size.

For example, we may want to stop a single public-facing web server from saturating all of the bandwidth by limiting its www traffic to 5 Mbps. To do this we use MPF (the Modular Policy Framework):

access-list WEBSITE-LIMIT extended permit tcp any host 66.77.88.99 eq www

class-map WEBSITE-TRAFFIC
 match access-list WEBSITE-LIMIT
 exit

policy-map WEBTRAFFIC-POLICY
 class WEBSITE-TRAFFIC
  police output 5000000 conform-action transmit exceed-action drop
  exit
 exit

service-policy WEBTRAFFIC-POLICY interface outside

Traffic Shaping: This also restricts throughput, but rather than dropping excess traffic it buffers the data and sends it later. For example:
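To make the difference between policing and shaping concrete, the following token-bucket simulation is an added example (not from the original post or from Cisco). It uses the 5 Mbps rate from the police command above, assumes the 1500-byte burst that the ASA applies when no burst-size is given, and runs both behaviours over a constructed packet trace.

```python
RATE_BPS = 5_000_000   # the 5 Mbps rate from the police command above
BURST_BYTES = 1500     # assumed: ASA default burst-size for police when none is given

# Constructed trace (not captured traffic): ten 1500-byte packets arriving
# 1 ms apart, i.e. an offered load of 12 Mbps against a 5 Mbps limit.
TRACE = [(i / 1000.0, 1500) for i in range(10)]

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Single-rate token bucket: conform-action transmit, exceed-action drop.
    packets is a list of (arrival_time_s, size_bytes); returns (sent, dropped)."""
    rate_bytes_per_s = rate_bps / 8.0
    tokens, last_t = float(burst_bytes), 0.0
    sent, dropped = [], []
    for t, size in packets:
        # Refill the bucket for the time elapsed, capped at the burst size.
        tokens = min(float(burst_bytes), tokens + (t - last_t) * rate_bytes_per_s)
        last_t = t
        if size <= tokens:
            tokens -= size             # conform: transmit and spend tokens
            sent.append((t, size))
        else:
            dropped.append((t, size))  # exceed: drop, tokens are not consumed
    return sent, dropped

def shape(packets, rate_bps=RATE_BPS):
    """Shaper: nothing is dropped; excess is queued and serialised at rate_bps.
    Returns a list of (arrival_time_s, departure_time_s, size_bytes)."""
    rate_bytes_per_s = rate_bps / 8.0
    link_free_at, out = 0.0, []
    for t, size in packets:
        start = max(t, link_free_at)   # wait until the previous packet is out
        link_free_at = start + size / rate_bytes_per_s
        out.append((t, link_free_at, size))
    return out

def compare(packets=TRACE):
    """Summarise both behaviours on the same trace."""
    sent, dropped = police(packets)
    shaped = shape(packets)
    return {
        "policed_sent": len(sent),
        "policed_dropped": len(dropped),
        "shaped_sent": len(shaped),
        "shaped_max_queue_delay_s": max(dep - arr for arr, dep, _ in shaped),
    }

if __name__ == "__main__":
    print(compare())
```

With this trace the policer forwards only four of the ten packets and drops the rest, while the shaper forwards all ten but the last one waits 15 ms in the queue; that delay is the cost shaping trades for the policer's drops.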